# Choose your authentication approach

Authgear provides token-based or cookie-based authentication. You will need to decide which approach you are going to use before starting the setup.

|                      | **Token-based**                                     | **Cookie-based**                                                              |
| -------------------- | --------------------------------------------------- | ----------------------------------------------------------------------------- |
| Suitable for         | **mobile apps** or **single-page web applications** | **Websites** in the same root domain (e.g. server-side rendered applications) |
| Transport of session | **Access Token** in `Authorization` header          | **Session ID** in Cookies                                                     |

## Token-based authentication

This approach is suitable for **mobile apps** or **single-page web applications**.

In Token-based authentication, Authgear returns the `access token` and `refresh token` to the client app after authentication.

The client SDK will automatically renew the `access token` with the `refresh token` for you, so you don't have to worry about it.

Your client app should call your backend with the access token in the Authorization header, and you can verify the access token by integrating Authgear with your backend. The HTTP requests can be authenticated by [**Forwarding to Authgear Resolver Endpoint**](/~/changes/anTCj6yoZ06s3pLJk5v8/get-started/backend-api/nginx.md) or [**Validating JWT in your application server**](/~/changes/anTCj6yoZ06s3pLJk5v8/get-started/backend-api/jwt.md).

Request example:

```http
> GET /api_path HTTP/1.1
> Host: yourdomain.com
> Authorization: Bearer <AUTHGEAR_ACCESS_TOKEN>
```

{% content-ref url="/pages/-MbFM4jLlPG\_W3D2lh3i" %}
[Token-based (Native mobile or Single-page app)](/~/changes/anTCj6yoZ06s3pLJk5v8/get-started/authentication-approach/token-based.md)
{% endcontent-ref %}

## Cookie-based authentication

This approach is suitable for **all types of websites**, including server-side rendered applications.

In Cookie-based authentication, Authgear returns `Set-Cookie` headers and sets cookies in the browser. The cookies are HTTP-only and are shared under the same root domain, so you will need to set up a **custom domain** for Authgear, such as `identity.yourdomain.com`.

In this setting, if you have multiple applications under `yourdomain.com`, all applications would share the same session cookie automatically. After that, you can verify the cookies by integrating Authgear with your backend. The HTTP requests *must* be authenticated by [**Forwarding to Authgear Resolver Endpoint**](/~/changes/anTCj6yoZ06s3pLJk5v8/get-started/backend-api/nginx.md).

Request example:

```http
> GET /api_path HTTP/1.1
> Host: yourdomain.com
> cookie: session=<AUTHGEAR_SESSION_ID>
```

{% content-ref url="/pages/-MbFM4jMrcQjbyof5aMh" %}
[Cookie-based (Website or Single-page app)](/~/changes/anTCj6yoZ06s3pLJk5v8/get-started/authentication-approach/cookie-based.md)
{% endcontent-ref %}
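
The two request examples above map to different verification paths on the backend. The following is an added example, not Authgear's own code: a hypothetical helper `classify_credential` that extracts the credential from a request and reports which of the two integration methods named on this page may verify it. The cookie name `session` is taken from the request example; rejecting a malformed `Authorization` header instead of falling back to the cookie is a design assumption of this sketch.

```python
import re

# token68 syntax (RFC 7235); the scheme name is matched case-insensitively.
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)
SESSION_COOKIE = "session"  # name taken from the cookie request example above


def classify_credential(headers):
    """Return (transport, credential, allowed_verifiers) for one request.

    `headers` maps header names to values. Nothing is verified here; the
    result only tells the backend which verification step to run next.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    auth = h.get("authorization")
    if auth is not None:
        m = BEARER_RE.match(auth)
        if not m:
            # Assumption of this sketch: any Authorization header that is not
            # a well-formed Bearer credential is rejected outright, so a bad
            # header can never silently fall through to the session cookie.
            return ("invalid", None, ())
        # Access tokens may go to the resolver endpoint or be validated as JWT.
        return ("token", m.group(1), ("resolver", "jwt"))
    for part in h.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == SESSION_COOKIE and value:
            # Session cookies must be forwarded to the resolver endpoint.
            return ("cookie", value, ("resolver",))
    return ("anonymous", None, ())


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Host": "yourdomain.com", "Authorization": "Bearer abc.def.ghi"},
        {"Host": "yourdomain.com", "cookie": "theme=dark; session=SID123"},
        {"Host": "yourdomain.com", "Authorization": "Bearer two parts"},
        {"Host": "yourdomain.com"},
    ]
    for s in samples:
        print(classify_credential(s))
```

The returned credential is still untrusted at this point; the backend accepts the request only after one of the listed verification methods succeeds.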


